1/14/2009 @ 6:17PM

Gadgets That Really Know You

At the Consumer Electronics Show in Las Vegas earlier this month, Fujitsu showed off a new idea in security-minded technology that the Japanese company argues could make the fingerprint an obsolete symbol of personal data: vein-pattern recognition.

Put your hand over a computer’s mouse and an infrared camera shines an invisible light onto–and through–your palm. By measuring where that light is absorbed and reflected, the system maps the veins in your hand, a collection of crisscrossing lines that Fujitsu claims can reliably identify a user far more accurately than scanning the whorls or loops on his or her fingertip.

That innovative system, which Fujitsu calls Palmsecure, has been sold in its mouse-embedded form in the U.S. since August of last year. It’s not cheap: A single mouse and software setup costs around $430 dollars.

But according to Fujitsu’s tests, vein pattern recognition can identify a user on the first try 99.99% of the time and mistakenly approves the wrong user in only .00008% of cases, far less often than fingerprint scanners.

“To get beyond this in terms of accuracy, you’d have to look to DNA,” says Joel Hagberg, Fujitsu’ vice president of marketing and business development.

Vein pattern recognition is the latest–and in some respects, most promising–attempt to reach the holy grail of cybersecurity, what professional digital paranoiacs call “three-factor” authentication.

To prove users’ identity and keep out intruding data thieves, a system would test them based on something they know (say, a password), something they have (such as the RSA tokens that show an encrypted, changing series of numbers) and, perhaps trickiest of all, something they are–a “biometric” test of their physical characteristics.

That last factor has traditionally meant verifying a fingerprint, or in some high-security government settings, a high-resolution photograph of an iris.

As cumbersome as that three-step process sounds, it may be increasingly important in keeping data secure, particularly in the business world. According to a report released earlier this month from the Identity Theft Resource Center, businesses suffered 646 data breach incidents in 2008, up almost 50% from 446 a year before.

The biggest culprit, accounting for far more breaches than hacking, was what the report calls “data on the move”–lost and stolen hardware filled with sensitive customer or employee data. And the number of breaches caused by insider data theft, often performed by employees who gained unauthorized access to their co-workers’ computers, also doubled over the last year.

But for biometrics to play a practical role in fixing those security leaks, systems vendors like Fujitsu will need to make the technology nearly invisible, rather than another annoying hindrance to getting the data employees need–hence a system that costs far more than a mere fingerprint reader but requires less effort on the part of the user.

That’s one reason why security company RSA is working on a technology that offers far less accuracy than a fingerprint interpretation, but also requires less work for the user, but offers far less accuracy than a fingerprint: what the company calls “gait recognition.”

To a certain degree, every individual has a different walking pattern, says Ari Juels, chief director of RSA Labs. Using the accelerometers in a phone built by handset-maker HTC, RSA’s researchers are attempting to detect that idiosyncratic movement as the phone bumps around in someone’s pocket, matching it with a user’s pre-recorded profile.

The result, says Juels, isn’t likely to add security, so much as make current measures slightly less vexing. If a user put a phone in his pocket while walking and then pulled it out a few moments later, the handset could recognize his or her particular gait and skip the typical password login. “The idea is that, if the phone doesn’t sense any tell-tale movements in the last few seconds, it locks down and requires a password,” Juels says. “Otherwise, it wouldn’t nag you.”

Toshiba
is trying a similarly seamless approach. In April, the electronics company released a new series of laptops that use embedded Webcams to capture a user’s face as he or she logs on.

The system is designed to offer convenience more than another layer of security: The face recognition step can replace a log-on password, or let users skip a swipe on the fingerprint reader that’s also built into most of Toshiba’s latest laptops.

“Our customers just want us to make life easier,” says Phillip Osako, Toshiba’s director of product marketing. “All the feedback we’ve been getting has been saying that it works well and it’s great not to have to remember a password.”

Toshiba won’t share data on its facial matching system’s accuracy. (Fujitsu, for its part, says its research in facial recognition has shown the technology to distinguish every one of about 100 individuals, compared with its vein recognition software’s ability to parse up to 10 million.) The company’s laptops include a disclaimer that warns users not to stop using Windows passwords for “high security purposes,” and adds that the technology won’t “accurately screen out unauthorized users at all times.”

The trick to combining facial recognition’s convenience with higher security–as in the case of vein recognition–could be looking beneath the surface. Professor Riad Hammoud, a researcher with Indiana University who now holds a post at
Delphi
Electronics and Safety in Kokomo, Ind., is working on a system that uses thermal and infrared cameras to look at the underlying heat patches, vein patterns and bone structures in faces.

“It’s not a fingerprint. It’s a faceprint,” Hammoud says. “Looking at the tissue behind the skin, we can see what may be a unique signature of the face that lets us distinguish people from each other.”

Delphi supplies technology to automakers, and Hammoud says this sort of facial recognition might show up in cars soon. Be he won’t say which of Delphi’s customers, which include Pontiac and Chevrolet, might be interested.

For now, Hammoud admits the technology still has hang-ups: The hot face of a test subject who has recently been to the gym is enough to throw off the tests. But with a bit more tweaking and a smarter combination of sensors, he hopes to reach biometrics’ goal of a cheap and unobtrusive way to accurately identify a user.

“The trend is to combine multiple sensors. No single measurement alone is good enough,” he says. “Instead, we’ll take as many measurements as possible and combine them intelligently to identify someone.”

And until then? Shave frequently, put off lasik surgery and try not to blush–or risk becoming a stranger to your favorite piece of technology.